←back to thread

The Dangers of Microsoft Pluton

(gabrielsieben.tech)
733 points gjsman-1000 | 1 comments | 26 Jul 22 03:46 UTC | HN request time: 0s | source
Show context
Gh0stRAT ◴[26 Jul 22 06:26 UTC] No.32235028[source]
I'm completely missing how his example of a Word document that can only be opened by approved users on approved hardware within the corporation is supposed to be a bad thing.

Honestly, that sounds pretty fantastic. I've been using 3rd party tools/extensions to do this sort of thing in corporate and government environments for years, but having the attestation go all the way down to the hardware level is a big value-add, especially with so much ransomware/spyware/extortion/espionage going on these days.

Can someone please explain to me how the author might see this level of security as a bad thing?

replies(18): >>32235120 #>>32235149 #>>32235164 #>>32235474 #>>32235546 #>>32235795 #>>32235875 #>>32236359 #>>32236639 #>>32236668 #>>32236673 #>>32236797 #>>32236864 #>>32237450 #>>32237580 #>>32238544 #>>32238583 #>>32240740 #
zaptheimpaler ◴[26 Jul 22 07:56 UTC] No.32235546[source]
The same things that make it good in a corporate environment can make it abusive in a personal machine.

By forcing the kernel to be untamperable, Microsoft can arbitrarily enforce ANY policy they choose on your PC. They could spy on every single piece of network communication. They could ban any given software from being able to run on Windows - maybe Chrome, maybe Steam, any competitor at all. They actually could easily enforce laws on banned content too - any given website, book, audio or video could be impossible to consume, and an attempt to try could be reported to Microsoft. They could stream the contents of your display and mic and camera at any time to anyone they choose. There is literally nothing they cannot do with complete control over the kernel. And since the kernel and Windows itself is closed source, there are ways to hide all of it so you would never even know.

Security is great but it also goes hand-in-hand with control and surveillance. Every capability to increase security also increases the amount of control those providing the security have.

replies(3): >>32236159 #>>32237179 #>>32238115 #
resfirestar ◴[26 Jul 22 13:38 UTC] No.32238115[source]
Microsoft doesn't need an "untamperable" kernel to force spying on users. Windows 10/11 has horrible invasive telemetry that can't be disabled, but no one has figured out how to modify the OS and strip it out, all the "solutions" involve temporarily disabling services or blocking network traffic. Is there actually some new capability here that points to future surveillance and censorship, or are you just fitting everything Microsoft does into a narrative where these things are just around the corner and waiting for the right technology? In my opinion the technology has been there for many years, it's just waiting for the US to go insane enough to implement massive censorship.
replies(3): >>32239614 #>>32240277 #>>32245763 #
reedjosh ◴[26 Jul 22 16:17 UTC] No.32240277[source]
But you can install your own OS. You can't disable this tool via another OS.

Particularly now that heterogeneous computing is making it big, video decoding can easily just be made not to work unless this tech stack okays it--regardless of the OS.

This chip could all out disable other operating systems if they don't provide the spyware telemetry that Microsoft requires.

replies(1): >>32240456 #
1. resfirestar ◴[26 Jul 22 16:30 UTC] No.32240456[source]
By "this tool" do you just mean the Pluton system in general or some specific thing? The attestation stuff is a software feature that would be disabled by booting another OS that doesn't support it. It needs the Pluton hardware to be possible, but the software side is in the OS not hardcoded on the chip.

Disabling other operating systems would be done by the BIOS if manufacturers locked down the configuration of existing secure boot functionality, doesn't need any new features.